File name: WeGameMiniLoader.std.5.12.21.1022.exe

Full analysis: https://app.any.run/tasks/bbe13f1c-9dbc-4701-9008-a47b236aa2b1
Verdict: Malicious activity
Analysis date: July 13, 2024, 22:02:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: qrcode
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 2C337EC80626CE49CA4380EAD23AEDF6
SHA1: A840D90EFE74A00DAEC2B4470F09A4836E23F308
SHA256: 5BA8182417D0F72FF509B22C0E20110D856321F754E69B7F299D497D73704BB3
SSDEEP: 98304:6eYdOmsTpn0v+Ae1YDYW5HRKvSbRqba2pbc8ul+kWh0QxpI4SRzm9mL/fwGF6uOh:xtBYnawVQcqy2P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WeGameMiniLoader.std.5.12.21.1022.exe (PID: 3208)
      • TinyDL.exe (PID: 3124)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • TinyDL.exe (PID: 3124)
      • WeGameMiniLoader.std.5.12.21.1022.exe (PID: 3208)
    • Process drops legitimate windows executable

      • TinyDL.exe (PID: 3124)
    • Drops 7-zip archiver for unpacking

      • TinyDL.exe (PID: 3124)
    • The process creates files with name similar to system file names

      • TinyDL.exe (PID: 3124)
    • Drops a system driver (possible attempt to evade defenses)

      • TinyDL.exe (PID: 3124)
    • The process drops C-runtime libraries

      • TinyDL.exe (PID: 3124)
  • INFO

    • Checks supported languages

      • WeGameMiniLoader.std.5.12.21.1022.exe (PID: 3208)
      • TinyDL.exe (PID: 3124)
      • WeGameMiniLoader.exe (PID: 2748)
    • Creates files or folders in the user directory

      • WeGameMiniLoader.std.5.12.21.1022.exe (PID: 3208)
      • TinyDL.exe (PID: 3124)
      • WeGameMiniLoader.exe (PID: 2748)
    • Reads the computer name

      • WeGameMiniLoader.exe (PID: 2748)
      • WeGameMiniLoader.std.5.12.21.1022.exe (PID: 3208)
      • TinyDL.exe (PID: 3124)
    • Creates files in the program directory

      • WeGameMiniLoader.exe (PID: 2748)
      • TinyDL.exe (PID: 3124)
    • Reads the machine GUID from the registry

      • WeGameMiniLoader.exe (PID: 2748)
      • TinyDL.exe (PID: 3124)
    • Create files in a temporary directory

      • WeGameMiniLoader.std.5.12.21.1022.exe (PID: 3208)
    • Manual execution by a user

      • explorer.exe (PID: 3080)
      • explorer.exe (PID: 324)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:02 02:11:19+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27648
InitializedDataSize: 122880
UninitializedDataSize: 1024
EntryPoint: 0x396c
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.12.21.1022
ProductVersionNumber: 5.12.21.1022
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Windows, Chinese (Simplified)
Comments: -
CompanyName: Tencent
FileDescription: -
FileVersion: 5.12.21.1022
LegalCopyright: -
LegalTrademarks: -
ProductName: WeGame
ProductVersion: 5.12.21.1022
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Graph nodes: start, wegameminiloader.std.5.12.21.1022.exe, wegameminiloader.exe, tinydl.exe, explorer.exe (no specs), explorer.exe (no specs), wegameminiloader.std.5.12.21.1022.exe (no specs)

Process information

PID: 324
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 2748
CMD: "C:\Users\admin\AppData\Local\WeGame\WeGameMiniLoader(55555)\WeGameMiniLoader.exe"
Path: C:\Users\admin\AppData\Local\WeGame\WeGameMiniLoader(55555)\WeGameMiniLoader.exe
Parent process: WeGameMiniLoader.std.5.12.21.1022.exe
User: admin
Integrity Level: HIGH
Description: WeGame下载器
Version: 5.12.21.1022
Modules (images):
c:\users\admin\appdata\local\wegame\wegameminiloader(55555)\wegameminiloader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 3080
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 3124
CMD: session=1 uid=0 parent="C:\Users\admin\AppData\Local\WeGame\WeGameMiniLoader(55555)\WeGameMiniLoader.exe"
Path: C:\Users\admin\AppData\Local\WeGame\WeGameMiniLoader(55555)\tiny_dl\TinyDL.exe
Parent process: WeGameMiniLoader.exe
User: admin
Company: Tencent
Integrity Level: HIGH
Version: 1.0.3.0
Modules (images):
c:\users\admin\appdata\local\wegame\wegameminiloader(55555)\tiny_dl\tinydl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll

PID: 3208
CMD: "C:\Users\admin\AppData\Local\Temp\WeGameMiniLoader.std.5.12.21.1022.exe"
Path: C:\Users\admin\AppData\Local\Temp\WeGameMiniLoader.std.5.12.21.1022.exe
Parent process: explorer.exe
User: admin
Company: Tencent
Integrity Level: HIGH
Version: 5.12.21.1022
Modules (images):
c:\users\admin\appdata\local\temp\wegameminiloader.std.5.12.21.1022.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

PID: 3392
CMD: "C:\Users\admin\AppData\Local\Temp\WeGameMiniLoader.std.5.12.21.1022.exe"
Path: C:\Users\admin\AppData\Local\Temp\WeGameMiniLoader.std.5.12.21.1022.exe
Parent process: explorer.exe
User: admin
Company: Tencent
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity instance exited because the installer requires elevation; PID 3208 is the subsequent high-integrity run)
Version: 5.12.21.1022
Modules (images):
c:\users\admin\appdata\local\temp\wegameminiloader.std.5.12.21.1022.exe
c:\windows\system32\ntdll.dll
Total events: 3 519
Read events: 3 519
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 653
Suspicious files: 260
Text files: 863
Unknown types: 1

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3124 | TinyDL.exe | C:\Program Files\WeGame\qbblinktrial\libcef.dll | - | - | -
3124 | TinyDL.exe | C:\Program Files\WeGame\data\json_db\base_game_oss.local | - | - | -
3124 | TinyDL.exe | C:\Program Files\WeGame\data\client_ui.vfs | - | - | -
3208 | WeGameMiniLoader.std.5.12.21.1022.exe | C:\Users\admin\AppData\Local\Temp\nsfEA7D.tmp\NSISPlugin.dll | executable | 362EDDF4162293770BCFF8FA9BFABB7F | F2B73BA3CA42DD9097727F6E0AABFA63B566C2D78BE0D41791D72C6D16240D78
3124 | TinyDL.exe | C:\Program Files\WeGame\tpf_ui.vfs | - | - | -
3124 | TinyDL.exe | C:\Program Files\WeGame\apps\Pallas\lolguide\LOLRes.vfs | - | - | -
3208 | WeGameMiniLoader.std.5.12.21.1022.exe | C:\Users\admin\AppData\Local\WeGame\WeGameMiniLoader(55555)\icon.ico | image | B1BD0B6DDD17CA3ACEA5A8DE95D5BF95 | 77559382F19D9E7C362B1C21C21E5B1BAB7E8DBEFA51B7DA95A1A49D5943079E
3208 | WeGameMiniLoader.std.5.12.21.1022.exe | C:\Users\admin\AppData\Local\WeGame\WeGameMiniLoader(55555)\tiny_dl\signature.dat | binary | 74E2FFC3824F444096F95DEC37F162F3 | 6A82710DC240C4DDC576E4CABF4DB9719ED78EDD02C1428E7A13D1306F97E0A2
3124 | TinyDL.exe | C:\Program Files\WeGame\tenprotect\TASLoginBase.dll | executable | 142085FB6541E058E6E109E30BAEC938 | D277300120B1C9546A1A4FF4501592F3CB5CAA7B6BFE229CC603D2581149C79C
3124 | TinyDL.exe | C:\Program Files\WeGame\tiny_cache\Game_55555.local | binary | C78A359612CB3161CC2F3FA67434646C | 0840BFC58E27AC00ECD46DA213C2C4FC4ECA32042E7746222C133680408AEC7F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3 059
TCP/UDP connections: 26
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
(the CN and Size columns of the report are empty in the extracted rows)
1372 | svchost.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | whitelisted
1372 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3124 | TinyDL.exe | GET | 200 | 43.152.29.15:80 | http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/chunks/bc/bcfca5c4280707efa2606b74335b175ab834f547e50bd1cda28dc46dee9b9cd2.wgc | unknown | whitelisted
3124 | TinyDL.exe | GET | 200 | 43.152.29.15:80 | http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/chunks/b2/b227c06ba70bf6f69ac36364c4e58ae18d5df22258c3ea3739462886f4f66b06.wgc | unknown | whitelisted
3124 | TinyDL.exe | GET | 200 | 43.152.29.15:80 | http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/chunks/6f/6f6ef7179a02d7923b400b3fda9c90369b97fb54be8d9ce13792958249f289ca.wgc | unknown | whitelisted
1372 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3124 | TinyDL.exe | GET | 200 | 43.152.29.15:80 | http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/manifest/10974_3198251187778410138_0.wgj | unknown | whitelisted
3124 | TinyDL.exe | GET | 200 | 43.152.29.15:80 | http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/chunks/df/df00d88127aeef4709ab3a037b004c6e52ac0a7481d7f2c5e015b4ae1a39121f.wgc | unknown | whitelisted
3124 | TinyDL.exe | GET | 200 | 43.152.29.15:80 | http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/chunks/fd/fd2ceddb9d35cc19c13379e862e89b8bdd13873fae52060d6a4aa477ad8d0f14.wgc | unknown | whitelisted
3124 | TinyDL.exe | GET | 200 | 43.152.29.15:80 | http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/chunks/c5/c5fe784779cd03e06715408e948e8e4b4141520e81cfa44237ee0f7a1893a86f.wgc | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 224.0.0.252:5355 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1372 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2564 | svchost.exe | 239.255.255.250:3702 | - | - | - | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | whitelisted
2748 | WeGameMiniLoader.exe | 116.130.229.213:8000 | ied-tqos.qq.com | - | - | unknown
2748 | WeGameMiniLoader.exe | 49.51.20.228:443 | www.wegame.com.cn | Tencent Building, Kejizhongyi Avenue | CA | unknown
3124 | TinyDL.exe | 49.51.20.228:443 | www.wegame.com.cn | Tencent Building, Kejizhongyi Avenue | CA | unknown
1372 | svchost.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.142
whitelisted
ied-tqos.qq.com
  • 116.130.229.213
whitelisted
www.wegame.com.cn
  • 49.51.20.228
unknown
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
down.qq.com
  • 43.152.29.15
  • 43.152.29.20
  • 43.152.137.29
whitelisted

Threats

No threats detected
Process | Message
WeGameMiniLoader.std.5.12.21.1022.exe | [NSISPlugin][TQosReport] TQos Server Address: , Port: 0, TQos ID: 0
WeGameMiniLoader.std.5.12.21.1022.exe | [NSISPlugin][TQosReport] Create TQos API Handle Error: tqos_get_qosconnd_iplist fail
WeGameMiniLoader.std.5.12.21.1022.exe | [NSISPlugin][TQosReport] TQos Server Address: , Port: 0, TQos ID: 0
WeGameMiniLoader.std.5.12.21.1022.exe | [NSISPlugin][TQosReport] Create TQos API Handle Error: tqos_get_qosconnd_iplist fail